Generate in-toto attestations from policy results

[lulf]

Generating in-toto attestations from seedwing policy based on policy and the evaluation results could be useful to later verify that a particular build/artifact met the policy requirements at the time.

[danbev]

The following is a suggestion what this attestation might look like which follows the format of in-toto predicates like SPDX, SLSA Provenance, CycloneDX etc.

---

Predicate type: Seedwing Policy

Type URI: https://seedwing.io/policy/v0.1

Version: 0.1

Purpose

The purpose of this predicate is to provide proof that a policy rule has been
evaluated.

Prerequisites

The in-toto attestation framework and a Seedwing Policy Engine.

Model

This is a predicate type that fits within the larger Attestation framework.

Schema

TODO:

Parsing Rules

TODO:

Fields

The predicate contains a JSON-encoded Seeding Policy Engine Result.

The subject contains whatever rule/pattern that was evaluated.

Example

{
  // Standard attestation fields:
  "_type": "https://in-toto.io/Statement/v0.1",
  "subject": [{
    "name": "some_pattern_name",
    "digest": { "sha256": "4fec91ebb3dd2ed2f3a620c97acde9fd5805cf0895a651bc6d294bf6e3f0faa83"
  }],

  // Predicate:
  "predicateType": "https://seedwing.io/policy/v0.1"
  "predicate": {
    "evaluationResult": {}
  }
}

Changelog and Migrations

Not applicable for this initial version.

[danbev]

I'm trying to think a use case for this but failing to think of one.